> After the 2015 Nuclear deal (Joint Comprehensive Plan of Action), people thought they can finally live normal lives and have normal relations with other countries (See how people celebrated the deal on the night it was finalized). At the time, I was even planning to assemble a new PC and thought it might be better to wait and buy parts from Amazon!
Alas, if even if Iran were to normalize relations with the West, he missed Amazon's good years. His video card would probably be a box with a rock in it.
> Some even claim that the protesters are violent rioters and the government has the right to shoot them with war ammunition.
The administration is trying to distract attention from Iran's brutal protestor crackdown with material implicating the president, FED chair nominee, former DOGE head, FLOTUS biopic director, ...
> “We look forward to moving forward with those claims and note WhatsApp’s denials have all been carefully worded in a way that stops short of denying the central allegation in the complaint – that Meta has the ability to read WhatsApp messages, regardless of its claims about end-to-end encryption.”
My money is on the chats being end to end encrypted and separately uploaded to Facebook.
>being end to end encrypted and separately uploaded to Facebook
That's a cute loophole you thought up, but whatsapp's marketing is pretty unequivocal that they can't read your messages.
>With end-to-end encryption on WhatsApp, your personal messages and calls are secured with a lock. Only you and the person you're talking to can read or listen to them, and no one else, not even WhatsApp
That's not to say it's impossible that they are secretly uploading your messages, but the implication that they could be secretly doing so while not running afoul of their own claims because of cute word games, is outright false.
>That's not to say it's impossible that they are secretly uploading your messages, but the implication that they could be secretly doing so while not running afoul of their own claims because of cute word games, is outright false.
The thing is, if they were uploading your messages, then they'd want to do something with the data.
And humans aren't great at keeping secrets.
So, if the claim is that there's a bunch of data, but everyone who is using it to great gain is completely and totally mum about it, and no one else has ever thought to question where certain inferences were coming from, and no employee ever questioned any API calls or database usage or traffic graph.
Well, that's just about the best damn kept secret in town and I hope my messages are as safe!
Where were the Facebook whistleblowers about the numerous IOS/Android gaps that let the company gain more information than they were to supposed to see? Malicious VPNs, scanning other installed mobile applications, whatever. As far as I know, the big indictments have been found from the outside.
AFAIK that was a separate app, and it was pretty clear that it was MITMing your connections. It's not any different than say, complaining about how there weren't any whistleblowers for fortinet (who sell enterprise firewalls).
I'm not saying they are sending the content back, but WhatsApp has to read your message or it couldn't display it, so I don't even know exactly what that particular claim means?
They most likely mean their service or their employees, but this appears to be marketing fluff and not an enforceable statement.
I wonder if keyword/sentiment extraction on the user's device counts as reading "by WhatsApp"...
There's the conspiracy theory about mentioning a product near the phone and then getting ads for it (which I don't believe), but I feel like I've mentioned products on WhatsApp chats with friends and then got an ad for them on Instagram sometime after.
Also claiming "no one else can read it" is a bit brave, what if the user's phone has spyware that takes screenshots of WhatsApp... (Technically of course it's outside of their scope to protect against this, but try explaining that to a judge who sees their claim and the reality)
The conspiracy theory exists due to quirks of human attention and the wider metadata economy though.
You mention something so you're thinking about it, you're thinking about it probably because you've seen it lately (or it's in the group of things local events are making you think about), and then later you notice an ad for that thing and because you were thinking about it actually notice the ad.
It works with anything in any media form. Like I've had it where I hear a new thing and suddenly it turns up in a book I'm reading as well. Of course people discount that because they don't suspect books of being intelligent agents.
So? You "directly profit" from picking up a bundle of cash robbers dropped as well doing the actual robbery. That doesn't mean someone who does the former is going to do the latter.
My guess is that they are end-to-end encrypted. And because of Facebook's scale that they're able to probabilisticly guess at what's in the encrypted messages (e.g.a message with X hash has Y probability of containing the word "shoes")
If this was happening en-masse, wouldn't this be discovered by the many people reverse engineering WhatsApp? Reverse engineering is hard sophisticated work, but given how popular WhatsApp is plenty of independent security researchers are doing it. I'm quite skeptical Meta could hide some malicious code in WhatsApp that's breaking the E2EE without it being discovered.
I'm technical and work in security. Since it is trivial, please explain. Ideally not using a strawman like "well just run strings and look for uploadPlaintextChatsToServer()".
This was happening en masse, perhaps still does - the cloud backup was unencrypted. Originally it was encrypted. Then, one day, Google stopped counting it towards your storage quota, but it became unencrypted. But even before that, Meta had the encryption keys (and probably still does).
When you get a new phone, all you need is your phone number to retrieve the past chats from backup; nothing else. That proves, regardless of specifics, that Meta can read your chats - they can send it to any new phone.
So it doesn’t really matter that it is E2EE in transit - they just have to wait for the daily backup, and they can read it then.
Well they wouldn't be breaking e2ee, they'd be breaking the implicit promise of e2ee. The chats are still inaccessible to intermediaries, they'd just be stored elsewhere. Like Apple and Microsoft do.
I am not familiar with the state of app RE. But between code obfuscators and the difficulty of distinguishing between 'normal' phone home data and user chats when doing static analysis... I'd say it's not out of the question.
I really doubt this. Any such upload would be visible inside the WhatsApp application, which would make it the world's most exciting (and relatively straightforward) RE project. You can even start with a Java app, so it's extra easy.
Does FAANG apps have antidebug or code obfuscation? At least for google their apps are pretty lightly protected. The maximum extent of obfuscation is the standard compilation/optimization process that most apps go through (eg. r8 or proguard).
Reverse engineering is easy when the source code is available. :)
The difference between source code in a high-level language, and AArch64 machine language, is surmountable. The effort is made easier if you can focus on calls to the crypto and networking libraries.
At some level, the machine code is the source code -- but decompiling AArch64 mobile apps into something like Java is common practice.
As GP alludes, you would be looking for a secondary pathway for message transmission. This would be difficult to hide in AArch64 code (from a skilled practitioner), and extra difficult in decompiled Java.
It would be "easy" enough, and an enormous prize, for anyone in the field.
I've done this work on other mobile apps (not WhatsApp), and the work is not out of the ordinary.
It's difficult to hide subtleties in decompiled code. And anything that looks hairbally gets special attention, if the calling sites or side effects are interesting.
(edit for edit)
> That's certainly the only way messages could be uploaded to Facebook!
Well, there's a primary pathway which should be very obvious. And if there's a secondary pathway, it's probably for telemetry etc. If there are others, or if it isn't telemetry, you dig deeper.
All secrets are out in the open at that point. There are no black boxes in mobile app code.
I've lost track of our points of disagreement here. Sure, it's work, but it's all doable.
Obfuscated code is more difficult to unravel in its orginal form than the decompiled form. Decompiled code is a mess with no guideposts, but that's just a matter of time and patience to fix. It's genuinely tricky to write code that decompiles into deceptive appearances.
Original position is that it'd be difficult to hide side channel leakage of chat messages in the WhatsApp mobile app. I have not worked on the WhatsApp app, but if it's anything like the mobile apps I have analyzed, I think this is the correct position.
If the WhatsApp mobile apps are hairballs of obfuscation and misdirection, I would be a) very surprised, and b) highly suspicious. Since I don't do this work every day any more, I haven't thought much about it. But there are so many people who do this work every day, and WhatsApp is so popular, I'd be genuinely shocked if there were fewer than hundreds of people who have lightly scanned the apps for anything hairbally that would be worth further digging. Maybe I'm wrong and WhatsApp is special though. Happy to be informed if so.
> My money is on the chats being end to end encrypted and separately uploaded to Facebook.
If governments of various countries have compelled Meta to provide a backdoor and also required non-disclosure (e.g. a TCN secretly issued to Meta under Australia's Assistance and Access Act), this is how I imagined they would do it. It technically doesn't break encryption as the receiving device receives the encrypted message.
> My money is on the chats being end to end encrypted and separately uploaded to Facebook.
This is what I've suspected for a long time. I bet that's it. They can already read both ends, no need to b0rk the encryption. It's just them doing their job to protect you from fourth parties, not from themselves.
It encrypts it to all the keys with the phone number registered for that user. Because users are switching phones, but keep their number. But each new WhatsApp app gets a new private key, the old key is not shared. This feature was added later, so the old WhatsApp devs wouldn't know.
So it would be trivial to encrypt to the NSA key also, as done on Windows.
Facebook messenger similarly claims to be end to end encrypted, and yet if it thinks you are sending a link to a pirate site, it "fails to send". I imagine there are a great many blacklisted sites which they shadow block, despite "not being able to read your messages".
My pet conspiracy theory is that the "backup code" which "restores" encrypted messages is there to annoy you into installing the app instead of chatting on the web.
Yes but look who was in charge at the time. In this case we'd likely have Jared Kushner and an AI trained to replicate Hulk Hogan overseeing the transfer of power.
reply